If you have not already heard about the European Union’s General Data Protection Regulation, it is time to start listening. The legislation affects small, medium and large companies across Europe and the rest of the world. The cut-off date for compliance on 25 May is very close and, according to the Federation of Small Businesses, fewer than one in 10 small companies in Britain are prepared.
This figure is in line with the European Commission’s announcement in January that, of the European Union’s 28 member states, only Austria and Germany had demonstrated clear changes to their legislation ahead of the regulation becoming law. The commission’s hard-line approach on adequacy levels for data protection leaves many countries outside Europe ill-equipped to cope with the change in data-processing laws. Currently only Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (under the Privacy Shield framework) meet the commission’s adequacy requirements. Personal data may still be transferred to any other country, but only with an additional safeguard in place, such as standard contractual clauses or binding corporate rules.
Privacy and data protection is a big and expensive business. No company collecting and processing the personal data of people in the EU is exempt from the legislation, and the penalties for the most serious infringements are up to €20m or 4% of annual worldwide turnover, whichever is higher, regardless of the size of the business. One of the most common misconceptions about the GDPR is that if a company operates outside the EU, the rules are not binding. That would only be true if the company processed no personal data of people in the EU, whether by offering them goods or services or by monitoring their behaviour.
What has changed with regard to data protection? The simple answer is that the way companies collect, store and maintain data must be at the heart of business operations. Under the GDPR, individuals are given more control over the way companies handle their data, including the right of access to all the personal data held about them, the right to have that data erased, and the requirement that consent be an affirmative opt-in rather than a pre-ticked default.
Moreover, it is important that organisations recognise that being GDPR compliant is not simply a data audit; it is a major security test. The integrity of the data does not just refer to how and why it is collected by the business, but to how secure the systems that store it are.
The UK Information Commissioner’s Office (ICO) has reminded all businesses, no matter their size, that there is no grace period for non-compliance. However, if an organisation can demonstrate a willingness to comply with the GDPR by showing that appropriate systems and thinking are in place, the ICO has said it will take that into account if a data breach does occur.
The International Association of Privacy Professionals estimates that in Europe alone at least 28,000 data protection officers will have been hired, and 75,000 new data protection officers are being recruited globally. With the average salary of a data protection officer usually more than £60,000, these numbers add up.
The demand for expertise in businesses of every size is higher than it has ever been, and a new business segment has been created. Additional investment in staff engagement programmes, training and in-house GDPR project managers has become the norm.
Companies that do not take the new legislation seriously risk damage to their reputations. Compliance is imperative for all organisations. A GDPR compliance and maintenance structure should remain an important and evolving operation that is closely monitored well beyond 25 May 2018.
Sarah Butler is Deputy Head of Development at OMFIF, and is responsible for GDPR compliance.